summaryrefslogtreecommitdiff
path: root/test/e2e/run_userns_test.go
Commit message (Collapse)AuthorAge
* enable errcheck linterPaul Holzinger2022-04-29
| | | | | | | | The errcheck linter makes sure that errors are always check and not ignored by accident. It spotted a lot of unchecked errors, mostly in the tests but also some real problem in the code. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add support for --userns=nomapDaniel J Walsh2022-04-21
| | | | | | | | | | | From a security point of view, it would be nice to be able to map a rootless usernamespace that does not use your own UID within the container. This would add protection against a hostile process escapping the container and reading content in your homedir. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* bump go module to version 4Valentin Rothberg2022-01-18
| | | | | | | | | | | | | Automated for .go files via gomove [1]: `gomove github.com/containers/podman/v3 github.com/containers/podman/v4` Remaining files via vgrep [2]: `vgrep github.com/containers/podman/v3` [1] https://github.com/KSubedi/gomove [2] https://github.com/vrothberg/vgrep Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Use PODMAN_USERNS environment variable when running as a serviceDaniel J Walsh2022-01-17
| | | | | | | | Fixes: https://github.com/containers/podman/issues/11350#issuecomment-1011562526 Also add inspect information about the idmappings if they exists. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Use HaveLen(x) instead of Expect(len(y)).To(Equal(x))Ed Santiago2021-12-02
| | | | | | sed -i -e 's/Expect(len(\(.*\)))\.To(Equal(\(.*\)))/Expect(\1).To(HaveLen(\2))/' test/e2e/*.go Signed-off-by: Ed Santiago <santiago@redhat.com>
* Convert strings.Contains() to Expect(ContainSubstring)Ed Santiago2021-11-30
| | | | | | | ...done manually, not via sed, because some of the inner expressions include nested commas. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Oops! Manual edits to broken testsEd Santiago2021-11-22
| | | | | | | | | | | | | | | | | | | | | | Commit 2 of 2: there were (still are?) a bunch of string checks that didn't have a corresponding Expect(). IIUC that means they were NOPs. Try to identify and fix those. The first few were caught by Go linting, "ok is defined but not used". When I realized the problem, I looked for more using: $ ack -A2 LineInOutputStartsWith ...and tediously eyeballing the results, looking for matches in which the next line was not Expect(). If test was wrong (e.g. "server" should've been "nameserver"), fix that. Also: remove the remove-betrue script. We don't need it in the repo, I just wanted to preserve it for posterity. Signed-off-by: Ed Santiago <santiago@redhat.com>
* e2e tests: clean up antihelpful BeTrue()sEd Santiago2021-11-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | Many ginkgo tests have been written to use this evil form: GrepString("foo") Expect(that to BeTrue()) ...which yields horrible useless messages on failure: false is not true Identify those (automatically, via script) and convert to: Expect(output to ContainSubstring("foo")) ...which yields: "this output" does not contain substring "foo" There are still many BeTrue()s left. This is just a start. This is commit 1 of 2. It includes the script I used, and all changes to *.go are those computed by the script. Commit 2 will apply some manual fixes. Signed-off-by: Ed Santiago <santiago@redhat.com>
* e2e tests: use Should(Exit()) and ExitWithError()Ed Santiago2021-07-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | e2e test failures are rife with messages like: Expected 1 to equal 0 These make me cry. They're anti-helpful, requiring the reader to dive into the source code to figure out what those numbers mean. Solution: Go tests have a '.Should(Exit(NNN))' mechanism. I don't know if it spits out a better diagnostic (I have no way to run e2e tests on my laptop), but I have to fantasize that it will, and given the state of our flakes I assume that at least one test will fail and give me the opportunity to see what the error message looks like. THIS IS NOT REVIEWABLE CODE. There is no way for a human to review it. Don't bother. Maybe look at a few random ones for sanity. If you want to really review, here is a reproducer of what I did: cd test/e2e ! positive assertions. The second is the same as the first, ! with the addition of (unnecessary) parentheses because ! some invocations were written that way. The third is BeZero(). perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(Equal\((\d+)\)\)/Expect($1).Should(Exit($2))/' *_test.go perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(\(Equal\((\d+)\)\)\)/Expect($1).Should(Exit($2))/' *_test.go perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(BeZero\(\)\)/Expect($1).Should(Exit(0))/' *_test.go ! Same as above, but handles three non-numeric exit codes ! in run_exit_test.go perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(Equal\((\S+)\)\)/Expect($1).Should(Exit($2))/' *_test.go ! negative assertions. Difference is the spelling of 'To(Not)', ! 'ToNot', and 'NotTo'. I assume those are all the same. perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(Not\(Equal\((0)\)\)\)/Expect($1).To(ExitWithError())/' *_test.go perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.ToNot\(Equal\((0)\)\)/Expect($1).To(ExitWithError())/' *_test.go perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.NotTo\(Equal\((0)\)\)/Expect($1).To(ExitWithError())/' *_test.go ! negative, old use of BeZero() perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.ToNot\(BeZero\(\)\)/Expect($1).Should(ExitWithError())/' *_test.go Run those on a clean copy of main branch (at the same branch point as my PR, of course), then diff against a checked-out copy of my PR. There should be no differences. Then all you have to review is that my replacements above are sane. UPDATE: nope, that's not enough, you also need to add gomega/gexec to the files that don't have it: perl -pi -e '$_ .= "$1/gexec\"\n" if m!^(.*/onsi/gomega)"!' $(grep -L gomega/gexec $(git log -1 --stat | awk '$1 ~ /test\/e2e\// { print $1}')) UPDATE 2: hand-edit run_volume_test.go UPDATE 3: sigh, add WaitWithDefaultTimeout() to a couple of places UPDATE 4: skip a test due to bug #10935 (race condition) Signed-off-by: Ed Santiago <santiago@redhat.com>
* bump go module to v3Valentin Rothberg2021-02-22
| | | | | | | | | We missed bumping the go module, so let's do it now :) * Automated go code with github.com/sirkon/go-imports-rename * Manually via `vgrep podman/v2` the rest Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* libpod: read mappings when joining a container usernsGiuseppe Scrivano2020-09-10
| | | | | | | | | when joining an existing container user namespace, read the existing mappings so the storage can be created with the correct ownership. Closes: https://github.com/containers/podman/issues/7547 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* Merge pull request #6991 from mheon/change_passwd_ondiskOpenShift Merge Robot2020-07-29
|\ | | | | Make changes to /etc/passwd on disk for non-read only
| * Make changes to /etc/passwd on disk for non-read onlyMatthew Heon2020-07-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bind-mounting /etc/passwd into the container is problematic becuase of how system utilities like `useradd` work. They want to make a copy and then rename to try to prevent breakage; this is, unfortunately, impossible when the file they want to rename is a bind mount. The current behavior is fine for read-only containers, though, because we expect useradd to fail in those cases. Instead of bind-mounting, we can edit /etc/passwd in the container's rootfs. This is kind of gross, because the change will show up in `podman diff` and similar tools, and will be included in images made by `podman commit`. However, it's a lot better than breaking important system tools. Fixes #6953 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Turn on a bunch more remote testsDaniel J Walsh2020-07-22
|/ | | | | | We need to be more specific about the remote tests we turn off. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add username to /etc/passwd inside of container if --userns keep-idDaniel J Walsh2020-07-07
| | | | | | | | | | If I enter a continer with --userns keep-id, my UID will be present inside of the container, but most likely my user will not be defined. This patch will take information about the user and stick it into the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Change buildtag for remoteclient to remote for testingDaniel J Walsh2020-07-06
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* move go module to v2Valentin Rothberg2020-07-06
| | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* test: add tests for --user and volumesValentin Rothberg2020-06-29
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* libpod: specify mappings to the storageGiuseppe Scrivano2020-06-24
| | | | | | | | | | | | specify the mappings in the container configuration to the storage when creating the container so that the correct mappings can be configured. Regression introduced with Podman 2.0. Closes: https://github.com/containers/libpod/issues/6735 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Don't ignore --user flag in rootless --userns keepidDaniel J Walsh2020-06-17
| | | | | | | | Currently podman run --userns keep-id --user root:root fedora id The --user flag is ignored. Removing this makes the code work correctly. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podman: assume user namespace if there are mappingsGiuseppe Scrivano2020-04-24
| | | | | | | if some mappings are specified, assume there is a private user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* podman: implement userns=keep-idGiuseppe Scrivano2020-04-24
| | | | | | | add missing implementation for userns=keep-id and enable the user namespaces tests. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Force integration tests to passBrent Baude2020-04-21
| | | | | | Failing tests are now skipped and we should work from this. Signed-off-by: Brent Baude <bbaude@redhat.com>
* userns: support --userns=autoGiuseppe Scrivano2020-04-06
| | | | | | | automatically pick an empty range and create an user namespace for the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* podman: support --userns=ns|containerGiuseppe Scrivano2019-07-25
| | | | | | | | allow to join the user namespace of another container. Closes: https://github.com/containers/libpod/issues/3629 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* use imagecaches for local testsbaude2019-05-29
| | | | | | | | | when doing localized tests (not varlink), we can use secondary image stores as read-only image caches. this cuts down on test time significantly because each test does not need to restore the images from a tarball anymore. Signed-off-by: baude <bbaude@redhat.com>
* userns: add new option --userns=keep-idGiuseppe Scrivano2019-05-24
| | | | | | | it creates a namespace where the current UID:GID on the host is mapped to the same UID:GID in the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* test: enable userns e2e tests for rootlessGiuseppe Scrivano2019-04-08
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* userns: use the intermediate mountns for volumesGiuseppe Scrivano2019-03-21
| | | | | | | | | | | when --uidmap is used, the user won't be able to access /var/lib/containers/storage/volumes. Use the intermediate mount namespace, that is accessible to root in the container, for mounting the volumes inside the container. Closes: https://github.com/containers/libpod/issues/2713 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Enable rootless integration testsbaude2019-03-19
| | | | Signed-off-by: baude <bbaude@redhat.com>
* ginkgo status improvementsbaude2019-03-08
| | | | | | | a series of improvements to our ginkgo test framework so we can get better ideas of whats going on when run in CI Signed-off-by: baude <bbaude@redhat.com>
* Run integrations test with remote-clientbaude2019-01-14
| | | | | | | | | | | | Add the ability to run the integration (ginkgo) suite using the remote client. Only the images_test.go file is run right now; all the rest are isolated with a // +build !remotelinux. As more content is developed for the remote client, we can unblock the files and just block single tests as needed. Signed-off-by: baude <bbaude@redhat.com>
* Separate common used test functions and structs to test/utilsYiqiao Pu2018-11-16
| | | | | | | Put common used test functions and structs to a separated package. So we can use them for more testsuites. Signed-off-by: Yiqiao Pu <ypu@redhat.com>
* switch projectatomic to containersDaniel J Walsh2018-08-16
| | | | | | | | | | Need to get some small changes into libpod to pull back into buildah to complete buildah transition. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1270 Approved by: mheon
* Show duration for each ginkgo test and test speed improvementsbaude2018-07-28
| | | | | | | | | | | | | | Because our tests are getting so long, we want to be able to audit which tests are taking the longest to complete. This may indicate a bad test, bad CI, bad code, etc and therefore should be auditable. Also, make speed improvements to tests by making sure we only unpack caches images that actually get used. Signed-off-by: baude <bbaude@redhat.com> Closes: #1178 Approved by: mheon
* urfave/cli: fix regression in short-opts parsingValentin Rothberg2018-07-09
| | | | | | | | | | | Add the actual argument, not the one we're looking for when searching the to-be-translated short-opt string. Otherwise, we're likely to hit an infinite loop. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1066 Approved by: rhatdan
* test/e2e/run_userns_test.go: new fileGiuseppe Scrivano2018-05-04
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #690 Approved by: mheon